Storage security gains users' attention

SNIA forum proposes best practices

By Lisa Coleman

While a recent Storage Networking Industry Association (SNIA) survey confirmed that users are still awaiting new security products and technologies for their storage networks, security start-up vendors say options exist today to meet those needs.

However, as would be expected, end users want security without significant performance degradation, and functionality without further complexity, according to "Enterprise Storage Security: Context, Challenges, and Solutions," a report compiled for SNIA's Storage Security Industry Forum (SSIF).

"End users want to start dealing with the security issue, but they don't know where to get started," says Mike Alvarado, chairman of the SSIF. "The second thing that's very important is that they want to deal with the security problem in the context of their overall business problems."

While users are concerned about storage security, and many have implemented some sort of security within their storage networks, most rely on inherent security features and options in vendors' storage products. And that is where there is a major disconnect, according to the study.

"Many storage vendors build their products assuming that the appropriate amount of network security has been implemented to appropriately secure the storage network. It seems that both end users and vendors rely on the other to produce security in the network; however, neither of them feels they are being considered as the primary owner of the task," according to the SNIA study. Therefore a minimal level of security is often implemented.

"The SSIF is going to serve as the force to bring the user community and vendors together on this issue," says Alvarado.

To achieve its goal, the SSIF drafted a best practices technical note (see sidebar, below), as well as a process for users to audit security in storage environments.

Users' security challenges

The top storage security concerns expressed by the 16 end-user companies that participated in the SNIA-SSIF security study include the following:

  • Incorrect configurations in switches or storage nodes, resulting in security breaches;
  • Storage application (including management and administrative) security exposures; and
  • Device-level security exposures.

Users also revealed that the application and management layers in their networks were of great concern since both have the ability to control several parts of the storage network. Unlike any other parts of the storage architecture, management applications can subvert or undermine security controls installed at the device, record, or block layers.

Management was the one process that users would be most willing to compromise to gain added security, according to the report. Users said they would change management methods and processes to gain another layer of security. However, they also said that loss of management functionality would not be acceptable.

Also of note, the report concluded that end users generally do not know how secure their storage environments are.

Start-ups address security

A handful of start-ups are tackling the challenge of storage security and are offering systems for securing storage network data by encrypting it and by controlling who and what devices have access to it.

However, before users explore new product options, they should examine their specific security needs, advises Nancy Marrone, senior analyst with the Enterprise Storage Group.

Click here to enlarge image


Understanding the implications to your company if your data is compromised is extremely important, says Marrone. How much would it cost the company if data were stolen? Using that figure, determine what kind of investment is affordable. Also, determine what data needs protecting (e.g., does the entire storage area network [SAN] need to be secure, or just specific data?).

Marrone also advises using existing security methods such as zoning and logical unit number (LUN) masking.

For the new encryption and authentication devices on the market today, users should ask vendors about encryption performance, how authentication and authorization are achieved, encryption key longevity and recovery, and potential points of failure.

Securing data in SAN and NAS

Currently, not all of the security products on the market work in both SAN and network-attached storage (NAS) environments.

Redwood City, CA-based Decru offers two products designed specifically for SAN and NAS environments. Its DataFort FC440 is designed for SANs, and the DataFort E440 is for NAS. The devices authenticate clients and encrypt data.

Also, DataFort appliances can be used with NAS heads linked to back-end SAN configurations. The E440 can be placed in front of a NAS head, or the FC440 can be positioned behind a NAS head.

"Most people put our box in front of the NAS head because it's client-aware, so you can see if someone is trying to read a file that he shouldn't be reading. We block that access," explains Dan Avida, president and CEO of Decru.

DataFort appliances can be clustered for load balancing and fail-over. In addition, the appliances offer long-term key management for restoring archival data that was encrypted with keys that have expired since the original encryption.

Last month, San Jose, CA-based Vormetric introduced its CoreGuard Security System, which includes software agents and appliances. The system provides encryption and data access control in direct-attached storage (DAS), SAN, or NAS environments.

The CoreGuard agent is a server-based thin agent that sends control signals to the CoreGuard appliance when it detects file calls or application/process instantiations. The appliance performs all the processing required for enforcing data access and preventing malicious host intrusion.

On a file-by-file basis, and as directed by rules set by the IT administrator, the agent sends actual data (in addition to the control signals) to the appliance. The appliance then encrypts this data at the rate of 1Gbps using 3DES data encryption with a latency of less than 500ms, according to company claims. The appliance also includes integrated load balancing and multi-path redundancy.

CoreGuard can also encrypt selectively via a MetaClear Encryption option. It encrypts everything in the file except its metadata—file name, creation date, etc.—so the file can be managed but not read.

"We de-couple access to data from viewability of data by selectively encrypting data-at-rest to separate data access privileges from data viewing privileges so that if somebody steals data it's rendered useless because it's encrypted," explains Bill Schroeder, CEO of Vormetric.

The entire CoreGuard system puts a "negligible" load on the host CPU (less than 2% of CPU cycles), according to Schroeder.

The system currently supports Solaris, with Linux support due within a month and Windows in the third quarter. Software agents cost $2,995 per server, and the appliance is priced at $29,500, or $39,500 with the MetaClear Encryption option.

Kasten Chase and NeoScale Systems also have security products that work in SAN environments. (Kasten Chase plans to announce a NAS version of its products later this year.)

In March, Kasten Chase acquired CipherShare Systems and its WorkSafe software, which provides secure file sharing and workgroup collaboration. Kasten Chase will incorporate that technology into its Assurency security product, which authenticates SAN-attached devices and provides encryption.

With its acquisition of CipherShare, Kasten Chase is moving toward "building an enterprise security architecture," says Hari Venkatacharya, a senior vice president at Kasten Chase.

By using the CipherShare technology, anyone who is collaborating on a document, for example, will be able to encrypt it and distribute keys for decrypting it to co-workers who need to work on the same document. Traditionally, this type of collaboration is accomplished by placing a document on a LAN, where anyone who has access to the LAN has access to the data on it.

In March, NeoScale Systems began shipping CryptoStor FC for disk storage and CryptoStor for Tape for secondary tape storage. CryptoStor FC provides encryption and is designed for SANs. CryptoStor for Tape provides encryption, authentication, and data compression for tape libraries and virtual tape systems.

CryptoStor encrypts at the block level and is not available for NAS. However, it can be deployed behind a NAS head, according to Scott Gordon, vice president of marketing at NeoScale.

The storage security horizon

"Eventually, security is going to be integrated into storage management applications," predicts the Enterprise Storage Group's Marrone. In fact, storage management software may offer more security options in the near future by discovering configuration changes and alerting the existing security system.

"It's starting to happen at a very rudimentary level," says Marrone. Today's SAN management solutions help IT managers configure zones and do LUN masking, which is the first step in securing the network. However, more security needs to be built into the management layer, according to Marrone.

SNIA develops storage security best practices

The Storage Networking Industry Association's "Best Practices for Ensuring Enterprise Storage Security" paper includes recommendations for creating security policies as the first step to overall storage security. These policies should cover privacy, authentication, confidentiality of specific types of information, and backup-and-restore requirements, as well as required levels of monitoring and auditing.

In addition to the policy guidelines, SNIA has also drawn up 13 best practices recommendations:

1) Identify all interfaces to the storage network.

2) Create a separate infrastructure for out-of-band management and control terminal interfaces to the storage network. If connectivity is required to the corporate LAN, provide it via a firewall or a secure router. Provide a dedicated remote access facility if this type of access is required, and use all appropriate network security tools such as virtual private networks (VPNs).

3) Maintain a set of formal best practices for storage security.

4) Protect data-in-flight and data-at-rest.

5) Use dedicated user IDs for storage network maintenance access, and enforce the use of passwords either by policy or by configuration. Use separate credentials for infrastructure configuration functions.

6) Define zones containing the smallest possible number of components, and use different zone sets for different system loads, such as off-hours backup time.

7) Use all available LAN security tools such as VLANs and IPSec.

8) Restrict access to infrastructure configuration functions. Control access to all unused ports in the storage network infrastructure. Wherever possible, configure infrastructure elements so that unused ports are specifically enabled before use, and so that newly attached devices are not automatically added to any zone. Always use hard zones in preference to soft zones.

9) Only install software and firmware on storage network components from authorized sources, and never do so when a device is connected to a production storage network. When such a procedure is necessary, swap out the equipment and use an isolated storage network for the process. Where possible, configure storage devices to not accept firmware upgrades via the storage network interfaces.

10) Always change default passwords before equipment is connected to a production storage network. Ensure that passwords are required by policy, and educate key personnel as to their importance.

11) Monitor the storage environment.

12) Stop external attacks (denial of service, viruses, etc.).

13) Keep in mind that port zoning has no cryptographic strength or attributes.

These best practices are still a work-in-progress, and SNIA is seeking user input. Users can send their comments to ssifchair@snia.org.

This article was originally published on May 01, 2003